API rate limits

All API endpoints enforce per-key rate limits using a sliding window counter backed by Hammer (Redis).

Platform docs

Error responses Rate limits Pagination Webhooks Authentication Versioning Idempotency Billing plans Billing flows

Details

Default limits

1000 requests per 60 seconds

The default rate limit per key, configurable via application env. The rate limit key is derived from credential ID (agent auth), user ID (operator session), or client IP (fallback).

Response headers

x-ratelimit-remaining

Requests remaining in the current window. Included in every successful response.

Response headers

x-ratelimit-reset

ISO 8601 timestamp indicating when the current rate limit window resets.

Code example

When rate limited (HTTP 429)

Response format

Returns a retry-after header (seconds until window reset), an RFC 9457 problem body with type https://robotscenter.net/problems/rate-limited, and extra.retry_after_seconds in the response body.

HTTP/1.1 429 Too Many Requests
retry-after: 42
content-type: application/json

{
  "type": "https://robotscenter.net/problems/rate-limited",
  "title": "Rate limited",
  "status": 429,
  "detail": "Rate limit exceeded. Retry after 42 seconds.",
  "request_id": "req-abc123",
  "extra": { "retry_after_seconds": 42 }
}

Details

Configuration

Environment variables

Limits are configurable per deployment via application environment: config :agent_ops, AgentOps.Limits, api_rate_limit: 1000, api_rate_period: 60_000.

Related docs

Errors

RFC 9457 error format including 429

Authentication

How rate limit keys are derived